The Three Questions Every Board Should Be Asking Their IT Team

How to get honest answers from your IT team

The challenge with board-level technology questions is not that IT teams are dishonest. It is that they are optimistic. They report what they believe to be true, and what they believe to be true is often what the systems were designed to do, not what they are actually doing. The firewall rules say traffic is blocked. The IT team believes traffic is blocked. Nobody has tested whether it actually is.

The way to get past this is to ask for evidence, not assurances. When the IT team says backups are running, ask for the last restore test log. When they say access is reviewed quarterly, ask for the last review sign-off. When they say the business would recover within four hours, ask for the last tabletop exercise report. The answers that come with evidence attached are the ones you can trust. The ones that come with a verbal assurance are the ones that need a follow-up.

This is not about distrust. It is about governance. A board that accepts verbal assurances on technology risk is not doing its job. The same standard applies to financial reporting — nobody would accept a CFO saying “I think the cash position is fine” without a bank statement. Technology risk deserves the same rigour. The gap between security policy and security reality is exactly the kind of thing these questions are designed to uncover.

What a good technology governance framework looks like

A board that wants to get technology governance right does not need to become technical. It needs a framework. A quarterly technology report that answers the same three questions every time: what are our critical systems, what is their recovery capability, and what has changed since last quarter. A risk register that tracks technology risks alongside financial and operational risks. An annual independent review of the technology function, not by the same people who run it.

The framework does not need to be expensive or complicated. It needs to be consistent. The same questions, every quarter. The same format, every report. Over time, the board builds a picture of how technology risk is trending, and the IT team knows what will be asked. That predictability is what turns technology governance from a box-ticking exercise into an actual management tool.

The fourth question boards should ask

There is a fourth question that does not get asked often enough: what is our plan for the technology we will need in eighteen months? Most boards focus entirely on the current state — is it working, is it secure, is it compliant. Few boards ask whether the technology strategy is preparing the business for where it is heading. This is the question that separates governance from management. Management keeps the lights on. Governance makes sure the lights are pointed in the right direction.

A good answer to this question includes a technology roadmap that aligns with the business strategy. If the business plans to expand into new markets, the technology roadmap should show how the systems will scale. If the business plans to launch a new product, the roadmap should show how the technology will support it. If the business plans to improve margins, the roadmap should show where automation and efficiency gains will come from. A board that does not ask this question is governing in the rearview mirror.

This forward-looking question is where a fractional CTO adds the most value for a board. They bring the strategic technology perspective that internal IT teams often lack the time or mandate to develop. They can articulate where the technology is heading, what the risks and opportunities are, and what the board should be thinking about now to avoid problems later.

How to build a board that asks better questions

The best boards do not wait for the IT report to arrive. They build technology literacy into their governance structure. That means having at least one board member who can read a technology risk register the same way the audit committee reads a financial risk register. It means scheduling a dedicated technology deep-dive once a year, separate from the quarterly update. It means asking the IT team to present one risk in detail each quarter, not just the dashboard summary.

It also means being willing to bring in external expertise when the board does not have the technology literacy internally. An independent technology advisor who reports to the board, not to the IT team, can ask the questions that internal staff are reluctant to raise. This is not a reflection on the IT team. It is a recognition that governance requires independent oversight, and technology is too important to be governed entirely by the people who run it. The same principle applies to POPIA compliance — independent validation is the only way to know whether the controls are actually working.

Need Help With Your Security or IT?

We work with South African businesses to assess, deploy, and manage security and IT that actually fits. No jargon, no scare tactics. Practical advice and real support.

Contact Us →

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *